WordPress OpenSheetMusicDisplay Plugin, Stored XSS, CVE-2025-5235 (Critical)


How CVE-2025-5235 Works

The OpenSheetMusicDisplay plugin (≤1.4.0) fails to sanitize the `className` parameter, allowing authenticated attackers with Contributor-level access or higher to inject malicious JavaScript. When a visitor views a page containing the injected value, the payload executes in their browser, enabling session hijacking, defacement, or malware delivery. The vulnerability stems from improper output escaping in the frontend rendering logic: user-supplied `className` values are written into the DOM without validation or escaping, so a value that closes the attribute can append arbitrary markup.
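The following is an added example, not the plugin's code, showing the unescaped-attribute pattern described above next to a hardened version; the function names and the wrapper markup are hypothetical, and the sample values are constructed from the advisory's own payload:

```javascript
// Vulnerable pattern: the user-supplied value is interpolated straight into a
// class attribute, so a value starting with `">` breaks out of the attribute
// and the rest of it lands in the page as markup.
function renderUnsafe(className) {
  return `<div class="${className}"></div>`;
}

// Hardened pattern, step 1: a CSS class list is a very narrow grammar, so
// validate each token against an allowlist instead of trying to escape
// arbitrary input. Tokens that do not look like a CSS identifier are dropped.
const CLASS_TOKEN = /^-?[_a-zA-Z][_a-zA-Z0-9-]*$/;

function sanitizeClassName(value) {
  if (typeof value !== 'string') return '';
  return value
    .split(/\s+/)
    .filter((tok) => tok.length > 0 && CLASS_TOKEN.test(tok))
    .join(' ');
}

// Step 2, defence in depth: attribute-escape the output anyway, so a later
// loosening of the allowlist cannot reintroduce attribute injection.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(className) {
  return `<div class="${escapeAttr(sanitizeClassName(className))}"></div>`;
}

// Constructed samples: the payload quoted in the advisory's PoC and a benign value.
const PAYLOAD = '"><script>alert(document.cookie)</script>';
const BENIGN = 'osmd-container large';

module.exports = { renderUnsafe, renderSafe, sanitizeClassName, escapeAttr, PAYLOAD, BENIGN };
```

`renderUnsafe(PAYLOAD)` yields a `<script>` element in the markup, while `renderSafe(PAYLOAD)` yields an empty class attribute and `renderSafe(BENIGN)` keeps both class tokens intact.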

DailyCVE Form:

Platform: WordPress Plugin
Version: ≤1.4.0
Vulnerability: Stored XSS
Severity: Critical
Date: 2025-06-04

Prediction: Patch by 2025-07-15

What Undercode Says:

Exploitation:

// Proof-of-Concept XSS via className
fetch('/wp-json/osmd/v1/save', {
method: 'POST',
body: JSON.stringify({
className: '"><script>alert(document.cookie)</script>'
})
});

Mitigation:

1. Temporary Fix:

// Add input sanitization in theme's functions.php
add_filter('osmd_classname', 'esc_attr');

2. Detection:

# Grep for vulnerable code (places where className is assigned or concatenated)
grep -r "className.=" /var/www/html/wp-content/plugins/open-sheet-music-display/

3. WAF Rule:

location ~ /wp-content/plugins/open-sheet-music-display/ {
    # $args matches the query string only, not a JSON POST body.
    if ($args ~* "className.*script") { return 403; }
}

4. Patch Verification:

# Check plugin version
wp plugin get open-sheet-music-display --field=version

5. Post-Exploit Analysis:

-- Audit database for malicious entries
SELECT ID, post_title, post_modified FROM wp_posts WHERE post_content LIKE '%<script%';

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
